<div dir="ltr">Let me address your points:<div><br></div><div>First, the spoofing does mess with the timing stream. To not mess with the timing stream, the entity doing the spoofing would have to have high-quality NTP-synchronized clocks and somehow generate the GPS I-Q data such that it was perfectly synchronized with real-time. Quite frankly, doing this is orders of magnitude harder than spoofing time and position, especially when operating in a clandestine manner. Note that position is derived from time, not the other way around. </div><div><br></div><div>As far as the relationship to your antenna goes: while it is true that a high-quality GNSS antenna with a pattern pointing up will reduce the likelihood of ground-based interference messing with your signal, the rejection rarely exceeds 10dB. This means that any signal 10dB louder than the GPS signals will override your GPS signals. This level of signal is trivial to produce.</div><div><br></div><div>Let's assume you have a typical GPS-derived NTP server using a typical commercially available timing GNSS module. To convince that receiver that it was a different time, I'd need to have an SDR that would operate in the GPS band. These are widely available for under $500. You'd also need a laptop and a download of a GPS simulator from GitLab. With a total investment of $500 (assuming I already have a laptop), I now have a system that can generate a GPS signal to convince your GPS receiver that it's any time at all. If you're a tech neophyte, there are youtube videos on how to do this.</div><div><br></div><div>All I need to do now is add appropriate antennas and/or amplifiers to overcome the official GNSS signals. As you pointed out, depending on the location and directivity of your antenna, this is either trivial or becomes slightly more difficult. If I can see your antenna, it becomes a lot cheaper as I just need a relatively low-powered amplifier and a highly directional antenna. If I can't see your antenna, I would opt for a higher-power amplifier and a less directional transmit antenna to blanket a wide area with the spoofed signal.</div><div><br></div><div>The paragraph above assumes I'm trying to convince your NTP server it's a different time. If I just want to deny you time, it gets cheaper and easier. All I need is a 1.2 GHz oscillator coupled to an antenna. There are units like this available for under $10, delivered. These block GPS trackers on trucks and/or private automobiles. Build your own and you can get a watt or two to shove into a tiny antenna for not a lot more. Guaranteed to Jam anything within a couple of blocks. </div><div><br></div><div>I wish I could say this is uncommon to happen, but I have seen it time and time again with customers (I design and sell GNSS Receivers used for precision timing on various WISP access points). It doesn't necessarily need to be intentional - it's not uncommon for a radio transmitter to fail so that it puts a spur out on 1.2 GHz and/or other GNSS bands. Two particular recent events happened in January and October of last year. In the first, a transmitter started emitting noise on the L1 band near DIA airport, wiping out GPS on the ground for a 50-mile radius and 230 miles in the air. It took 33 hours to find and resolve this particular issue. See <a href="https://www.cisa.gov/sites/default/files/publications/CISA-Insights_GPS-Interference_508.pdf">https://www.cisa.gov/sites/default/files/publications/CISA-Insights_GPS-Interference_508.pdf</a> . In the second, similar event, around DFW, an as-yet unidentified noise source took out GPS for 24 hours - although it took another 20 hours for everything to recover. </div><div><br></div><div>There was a recent event at a site in California that I was peripherally involved with (as the vendor of an affected GPS device) where a commercially available microwave point-to-point link started emitting signals in the GPS band and took out GPS for an extended period at the site. In that case, every single GPS receiver at the site could not receive GPS signals until the errant radio was determined and shut down. It took a while as it required a lot of "turn off equipment one by one until the signal goes away" troubleshooting.</div><div><br></div><div>I agree that GPS timing vendors are continuously striving to improve the reliability and interference robustness of their GPS systems. There are definitely really cool solutions on the market today, for example Microchip Technologies's bluesky GPS firewall which develops it's own internal clock, and then uses that to deliver precision time downstream by transmitting an internally-developed GPS signal (just like a spoofer would). But most people who develop their GPS time don't select vendors with this level of robustness. Instead they almost always use a commerical off the shelf GPS module which lack many of the features you describe.</div><div><br></div><div>A good reference on how to harden GPS systems is at <a href="https://www.cisa.gov/sites/default/files/2023-02/Improving_the_Operation_and_Development_of_Global_Positioning_System_%28GPS%29_Equipment_Used_by_Critical_Infrastructure_S508C.pdf">https://www.cisa.gov/sites/default/files/2023-02/Improving_the_Operation_and_Development_of_Global_Positioning_System_%28GPS%29_Equipment_Used_by_Critical_Infrastructure_S508C.pdf</a> . </div><div><br></div></div><div dir="auto"></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Aug 9, 2023, 12:52 PM Mel Beckman <<a href="mailto:mel@beckman.org" target="_blank">mel@beckman.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
While GPS spoofing is technically possible, all the extant spoofing only tampers with the ephemeris (satellite position) data, not the timing stream. That's because hackers have been aiming at navigation, and may not have expressed interest in GPS tampering
when NTP tampering is so easy <span id="m_118859705805738646m_-3610301613643180114🙂">🙂</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<span><br>
</span></div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
To spoof GPS clocks, a hacker has to know where the antennas are, and get above them in order to inject a signal with the right directionality. Commercial GPS clock vendors have implemented various anti-spoofing measures that, for example, only accept signals
from a certain cone of visibility, which faces up. They have other measures too, some of which exploit geographic diversity, so if you can have two or more GPS clocks in different hub sites, the clocks will reject spoofing signals. </div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
This seems like a much easier defense than deploying secure NTP (NTS), which adds a huge amount of complexity. At least one researcher has shown that poluting the existing public NTP pool with enough bogus servers to seriously impact network time is trivial
(I cited their paper in an earlier post on this thread). A well funded state actor could be laying the framework for such an attack as we speak, lying in wait until an opportunity to disrupt Internet NTP globally.</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Aptos,Aptos_EmbeddedFont,Aptos_MSFontService,Calibri,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
-mel</div>
<div id="m_118859705805738646m_-3610301613643180114appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="m_118859705805738646m_-3610301613643180114divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> NANOG <nanog-bounces+mel=<a href="mailto:beckman.org@nanog.org" rel="noreferrer" target="_blank">beckman.org@nanog.org</a>> on behalf of Jay Hennigan <<a href="mailto:jay@west.net" rel="noreferrer" target="_blank">jay@west.net</a>><br>
<b>Sent:</b> Wednesday, August 9, 2023 10:58 AM<br>
<b>To:</b> <a href="mailto:nanog@nanog.org" rel="noreferrer" target="_blank">nanog@nanog.org</a> <<a href="mailto:nanog@nanog.org" rel="noreferrer" target="_blank">nanog@nanog.org</a>><br>
<b>Subject:</b> Re: NTP Sync Issue Across Tata (Europe)</font>
<div> </div>
</div>
<div><font size="2"><span style="font-size:11pt">
<div>On 8/9/23 09:29, Seth Mattinen via NANOG wrote:<br>
<br>
> I liked having a WWVB receiver in my mix, but all the hardware <br>
> appliances (at least those offering OCXO or Rubidium oscillator options) <br>
> seem to have rejected it in favor of GPS only. I can only conclude that <br>
> either vendors think options like WWVB are a dead end or there's no <br>
> demand for GPS alternatives.<br>
<br>
Both GPS and WWVB are over-the-air. There has been concern expressed of <br>
a bad actor spoofing or jamming GPS. Comparatively speaking, jamming or <br>
spoofing WWVB is a trivial joke.<br>
<br>
-- <br>
Jay Hennigan - <a href="mailto:jay@west.net" rel="noreferrer" target="_blank">jay@west.net</a><br>
Network Engineering - CCIE #7880<br>
503 897-8550 - WB6RDV<br>
<br>
</div>
</span></font></div>
</div>
</blockquote></div>